Data, metadata & personal information: landmark Federal Court ruling

Snapshot

The Privacy Act 1988 (Cth) places a set of legal obligations on businesses and government agencies alike. These obligations are triggered whenever data meets the definition of ‘personal information’.

In a landmark case, the Federal Court ruled against the Privacy Commissioner and determined that the definition of ‘personal information’ has two elements: data must pass a subject matter test, and an identifiability test.

The case was decided on narrow grounds under an earlier version of the legislation, so its application to other organisations is not immediately apparent.

In 2013, the Australian Government was preparing to introduce its mandatory data retention laws, to require telcos to keep ‘metadata’ on their customers for two years in case the data was needed later for national security or law enforcement purposes.

A Fairfax technology journalist, Ben Grubb, was curious as to what metadata, such as the geolocation data collected from mobile phones, would actually reveal about an individual. He wanted to illustrate the power of geolocation data to reveal insights into not only our movements, but our behaviour, intimate relationships, health concerns or political interests.

Exercising his rights under what was then National Privacy Principle (NPP) 6.1 in the Privacy Act 1988 (Cth), Ben sought access from his mobile phone service provider, Telstra, to his personal information – namely, ‘all the metadata information Telstra has stored about my mobile phone service (04…)’.

The law as at 2013

At the time of Ben’s access request, the definition of ‘personal information’ was: ‘information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion’.

NPP 6.1 was known as the Access principle. It provided that: ‘If an organisation holds personal information about an individual, it must provide the individual with access to the information on request by the individual, except to the extent that …’.

It should be noted that amendments to the Privacy Act came into force in March 2014, changing the definition of personal information, and replacing the NPPs with the new Australian Privacy Principles.

The path to the Federal Court

Telstra refused access to various sets of information, including location data, on the basis that it was not ‘personal information’ subject to NPP 6.1. Ben lodged a complaint with the Australian Privacy Commissioner. While the complaint was ongoing, Telstra provided Ben with billing information, outgoing call records, and the cell tower location information for his mobile phone at the time when he had originated a call.

What was not provided, and what Telstra continued to argue was not ‘personal information’ and thus need not be provided, included ‘network data’. Telstra argued that geolocation data – the longitude and latitude of mobile phone towers connected to the customer’s phone at any given time, whether the customer is making a call or not – was not ‘personal information’ about a customer, because on its face the data was anonymous.

The Privacy Commissioner ruled against Telstra on that point in May 2015, finding that a customer’s identity could be linked back to the geolocation data by a process of cross-matching different datasets (Ben Grubb and Telstra Corporation Limited [2015] AICmr 35). Privacy Commissioner Timothy Pilgrim found that data which ‘may’ link data to an individual, even if it requires some ‘cross matching … with other data’ in order to do so, is ‘information … about an individual’, whose identity is ascertainable, meaning ‘able to be found out by trial, examination or experiment’ (at [68]). The Privacy Commissioner ordered that Telstra hand over the remaining cell tower location information.

Telstra appealed the Privacy Commissioner’s determination, and in December 2015 the Administrative Appeals Tribunal (AAT) found in Telstra’s favour – but not on the grounds argued up to that point (Telstra Corporation Limited and Privacy Commissioner [2015] AATA 991).

The case turned on how the definition of ‘personal information’ should be interpreted, with both parties arguing about whether or not Ben was ‘identifiable’ from the network data, including how much cross-matching with other systems or data could be expected to be encompassed within the term ‘can reasonably be ascertained’. Nonetheless, the AAT drew no solid conclusion about whether or not Ben was actually identifiable from the network data in question. Instead, the AAT questioned whether the information was even ‘about’ Ben at all.

The AAT found that there was a two-step process to meeting the definition of ‘personal information’: the information must be about an individual, and in a separate inquiry, that individual must be reasonably identifiable from that information. The AAT stated:

‘The starting point must be whether the information or opinion is about an individual. If it is not, that is an end of the matter and it does not matter whether that information or opinion could be married with other information to identify a particular individual’ (Telstra Corporation Limited and Privacy Commissioner at [95]).

In other words, the AAT’s position was that the fact the information might relate or link back to an individual does not necessarily make it ‘about’ that individual. Giving an example of the Tribunal member’s history of car repairs, the AAT stated:

‘A link could be made between the service records and the record kept at reception or other records showing my name and the time at which I had taken the care (sic) in for service. The fact that the information can be traced back to me from the service records or the order form does not, however, change the nature of the information. It is information about the car … or the repairs but not about me’ (at [96]).

The AAT therefore concluded that mobile network data was about connections between mobile devices, rather than ‘about an individual’, notwithstanding that a known individual triggered the call or data session which caused the connection:

‘The data is all about the way in which Telstra delivers the call or the message. That is not about Mr Grubb. It could be said that the mobile network data relates to the way in which Telstra delivers the service or product for which Mr Grubb pays. That does not make the data information about Mr Grubb. It is information about the service it provides to Mr Grubb but not about him’ (at [112]).

In our view, this narrow, binary formulation – that information can only be ‘about’ one thing – could lead to some disastrous applications. For example, banks could avoid their privacy responsibilities by arguing that their records are only ‘about’ transactions, not the people sending or receiving money as part of those transactions; or hospitals could claim that medical records are ‘about’ clinical procedures, not their patients.

Not surprisingly, the Privacy Commissioner sought to appeal against the AAT’s interpretation.

The Federal Court decision

The Privacy Commissioner argued that the phrase ‘about an individual’ in the definition of ‘personal information’ was redundant, and should simply be ignored. The Federal Court, in a unanimous decision by Justices Dowsett, Kenny and Edelman, flatly rejected that line of argument: ‘We do not accept this submission’ (Privacy Commissioner v Telstra Corporation Limited [2017] FCAFC 4 at [62]).

The Court confirmed that there are two elements to the definition of ‘personal information’: the information must be ‘about’ an individual, and that individual’s identity must be reasonably ascertainable.

The Federal Court stated: ‘in every case it is necessary to consider whether each item of personal information requested, individually or in combination with other items, is about an individual. This will require an evaluative conclusion, depending upon the facts of any individual case, just as a determination of whether the identity can reasonably be ascertained will require an evaluative conclusion’ (at [63]).

In relation to the about element, the Federal Court said:

‘The words “about an individual” direct attention to the need for the individual to be a subject matter of the information or opinion. This requirement might not be difficult to satisfy. Information and opinions can have multiple subject matters’ (at [63]).

By saying that the individual needs to ‘be a subject matter’ of the information, this judgment may have had the effect of slightly narrowing the definition of ‘personal information’, more so than if the language of ‘relating to’ had been used instead. (By contrast, the latest European privacy law, the General Data Protection Regulation, defines ‘personal data’ more simply as ‘any information relating to an identified or identifiable natural person’.)

However, importantly, the Federal Court also said: ‘[E]ven if a single piece of information is not “about an individual” it might be about the individual when combined with other information’ (at [63]).

The judges stressed the need to consider ‘the totality of the information’ (at [63]). In other words, linkability to an identifiable individual might still make something ‘personal information’.

In our view, the Federal Court diverged from the AAT’s narrower view, by allowing:

(a) that information may have multiple subject matters; and

(b) that the construction of the subject matter can be influenced by the context, ie if the data is combined with other data, it might then become ‘about’ an individual.

The limits to this decision

The Federal Court decision is frustrating in many ways. Because the case was only about a question of law, not the application of that law to a particular set of facts, we are left with unanswered questions such as:

whether or not the metadata was ‘about’ Ben Grubb;

whether or not Ben Grubb’s identity could be ascertained from the metadata (alone or in conjunction with other data); and thus

whether or not Ben Grubb’s metadata was ‘personal information’.

The only thing decided by the Federal Court was that the phrase ‘about an individual’ is an important element in the definition of personal information, as the definition existed in 2013.

In our view, if it had been allowed to examine the merits of the case, the Federal Court might have overturned the AAT’s decision, on the basis that the information in question could be about both ‘the way in which Telstra delivers the service or product for which Mr Grubb pays’ and ‘about Mr Grubb’.

Where does this leave us?

The definition of ‘personal information’ changed in 2014. It now says ‘information or an opinion about an identified individual, or an individual who is reasonably identifiable …’.

So while that element of ‘about’ is still there, it is now a little more intertwined with the element of ‘identifiability’. It’s not clear whether that subtle change in language makes any practical difference, but we suggest that one cannot just assume that the Federal Court judgment directly applies to the law as it stands today.